So to counter this kind of MITM attack, the browser (or other SSL app) should allow the user to store the certificate/root certificate for a certain site, and then provide a warning when it doesn't match the stored one. Doesn't sound that hard; maybe even an extension to Fx could do that?
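The store-and-compare check suggested in the comment above, sketched as an added example that is not part of the original post or of any browser's code. The names `PinStore` and `fingerprint`, the verdict strings, the host `example.test` and the byte strings standing in for certificates are all assumptions made for illustration.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate's DER bytes, as hex."""
    return hashlib.sha256(der).hexdigest()

class PinStore:
    """Per-host record of the leaf and root fingerprints first seen."""

    def __init__(self):
        self.pins = {}  # host -> {"leaf": hex, "root": hex}

    @staticmethod
    def _observe(chain):
        if not chain:
            raise ValueError("empty certificate chain")
        return {"leaf": fingerprint(chain[0]), "root": fingerprint(chain[-1])}

    def check(self, host, chain):
        """chain: DER certificates, leaf first, root last (assumption: the
        TLS library has already validated it). Returns a verdict string."""
        seen = self._observe(chain)
        stored = self.pins.get(host.lower())
        if stored is None:
            self.pins[host.lower()] = seen      # trust on first use
            return "first-seen"
        if stored == seen:
            return "match"
        if stored["root"] == seen["root"]:
            return "leaf-changed"               # same root, e.g. a renewal
        return "root-changed"                   # different root: warn the user

    def accept(self, host, chain):
        """Replace the stored pin after the user confirms the change."""
        self.pins[host.lower()] = self._observe(chain)

# Constructed stand-ins for DER certificates (not real certificates).
ROOT_A, ROOT_B = b"constructed-root-A", b"constructed-root-B"
LEAF_1, LEAF_2, LEAF_X = b"constructed-leaf-1", b"constructed-leaf-2", b"constructed-leaf-X"

if __name__ == "__main__":
    store = PinStore()
    for chain in ([LEAF_1, ROOT_A], [LEAF_1, ROOT_A], [LEAF_2, ROOT_A], [LEAF_X, ROOT_B]):
        print(store.check("example.test", chain))
```

The first connection is trusted as-is, so a pin of this kind only detects a certificate that changes after that point. Pinning the root as well as the leaf lets the warning distinguish a new leaf under the same root from a chain that ends in a different root.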